WEBVTT

00:00.410 --> 00:06.430
Hello, my name is Steve Bowen and in this lecture you will learn the Wireshark packet capture approach,

00:06.440 --> 00:10.310
Wireshark dependencies, capture filters, etcetera in detail.

00:10.310 --> 00:17.510
In this section we are covering basics to get you started with Wireshark and here in order to start

00:17.510 --> 00:23.510
the Wireshark, you can also go to the application menus here and write Wireshark in the search button

00:23.510 --> 00:28.550
and you need to start Wireshark as a root user with superuser privileges.

00:28.550 --> 00:30.410
You can enter the password.

00:30.410 --> 00:31.040
When you win.

00:31.040 --> 00:37.130
This dialog appears and you can see the everything you need, the network adapters and so on.

00:37.130 --> 00:41.600
So you can also start the Wireshark from the terminal in order to start terminal.

00:41.780 --> 00:47.960
If you just write wireshark here and here, as you can see here, we can see the Ethernet

00:47.960 --> 00:50.030
or any network interface cards.

00:50.030 --> 00:58.010
That's why we need to start Wireshark with sudo wireshark, you will enter the password and that's it.

00:58.010 --> 01:04.470
Once the application is launched, the main interface is shown, including sections for basic capture

01:04.470 --> 01:07.470
controls, capture filters and display filters.

01:07.470 --> 01:13.200
Now you will select the desired interface from the list by clicking and hit the start capture button

01:13.200 --> 01:13.740
to capture.

01:13.740 --> 01:18.370
In this case, we have eth0 and any. You can also select any.

01:18.390 --> 01:23.100
In this case it will also listen to Bluetooth, to wifi and so on.

01:23.100 --> 01:27.540
In this case we will select the Ethernet because we don't have any connected device.

01:27.540 --> 01:30.900
So the Ethernet and here, that's it.

01:30.900 --> 01:33.480
So we started the Ethernet if anything occurs.

01:33.480 --> 01:35.670
And as you can see here, our.

01:38.220 --> 01:40.490
Router and switches are talking.

01:40.500 --> 01:44.100
And here, as you can see here, who has this IP address.

01:44.100 --> 01:45.690
Tell to this IP address.

01:45.690 --> 01:49.800
And as you can see here, there's a like I'm so excited with Wireshark here.

01:49.800 --> 01:52.890
So here we have we can start the capture here.

01:52.890 --> 01:58.710
So the capture from here and you can specify the filters and that's it.

01:58.800 --> 02:07.200
So when capture is in progress by default, it shows live the packets being captured in various colors.

02:07.470 --> 02:12.750
And we can start again here so we can go to our vulnerable web application here.

02:12.750 --> 02:15.300
In this case, it's target.com.

02:15.300 --> 02:16.740
And let's log out.

02:16.740 --> 02:24.240
And whenever we are doing something on the Wireshark or whenever someone does something on our local

02:24.240 --> 02:30.630
area network, it will show us the exact bytes, byte by byte representation.

02:30.720 --> 02:35.760
And here we can start and stop the capture with these buttons here.

02:35.760 --> 02:38.830
And let's first understand the packets here.

02:38.830 --> 02:39.370
Right?

02:39.790 --> 02:43.690
So it's time to investigate a capture at the individual level.

02:44.610 --> 02:48.980
And this is an example of one of the TCP packets captured here.

02:48.990 --> 02:49.950
Now, we will.

02:50.730 --> 02:53.040
Go to here and enter our password.

02:53.040 --> 02:53.400
Right?

02:53.400 --> 03:00.600
So that's for example, consider this as a Facebook or any banking website here.

03:00.600 --> 03:05.910
So now we will have admin and we'll enter our password and that's it.

03:05.940 --> 03:08.820
Now, Wireshark should capture this.

03:08.970 --> 03:12.090
And here, as you can see here, we are seeing something.

03:12.090 --> 03:13.740
Let's actually stop it now.

03:13.740 --> 03:14.820
We will analyze it.

03:14.820 --> 03:19.890
And here we are seeing something neat to see like login here, login.php, and as you can see here,

03:19.890 --> 03:24.210
it's application/x-www-form-urlencoded here.

03:24.210 --> 03:28.290
So now let's select this by clicking on it.

03:28.290 --> 03:33.810
You can select the packets and here the packet details will appear.

03:33.840 --> 03:35.190
Let's actually use the.

03:37.050 --> 03:38.070
Gromit here.

03:38.070 --> 03:40.200
I will draw lines on the screen.

03:40.320 --> 03:41.220
That's it.

03:43.670 --> 03:46.460
And here we have the.

03:53.260 --> 03:54.590
Let's start Gromit.

03:54.610 --> 03:57.400
Here we have tool painting, clear screen and.

03:58.400 --> 03:59.060
Yes.

04:00.870 --> 04:03.090
As you can see, we also have the.

04:05.140 --> 04:06.640
Application drawing thing.

04:06.670 --> 04:07.370
That's it.

04:07.390 --> 04:11.020
So now when a packet is selected.

04:11.050 --> 04:15.130
Wireshark opens the bottom panel.

04:15.160 --> 04:19.850
Here you can see here, bottom panel, this is the bottom panel of Wireshark.

04:19.870 --> 04:25.960
So this bottom panel, which gives us important information on the features that are conveniently

04:25.960 --> 04:31.180
presented in the same way as the OSI model.

04:31.180 --> 04:36.430
So the number of layers seen changes as the protocol selected changes here in this example from the

04:36.430 --> 04:39.430
top down, we can see the frame layer.

04:39.700 --> 04:48.460
It has the protocol HTTP, as you can see here, and it's in the Ethernet data link layer.

04:48.460 --> 04:52.990
And we can also see the IP network layer.

04:53.110 --> 04:59.170
We have Ethernet II, Internet Protocol version 4, source address and destination address, Transmission Control

04:59.410 --> 05:03.340
Protocol and we have port and so on.

05:03.340 --> 05:10.950
And we also have the Hypertext Transfer Protocol, which we will get some pretty confident information,

05:10.950 --> 05:13.470
confidential information from that here.

05:13.470 --> 05:18.470
So we will get the passwords we entered the last time we visited our website, right?

05:18.480 --> 05:25.560
So if there are more layers or headers in the packet, it is sequentially decoded in the Wireshark packet

05:25.560 --> 05:25.800
view.

05:25.830 --> 05:32.310
So for a packet with multiple encapsulated protocols to decode it properly, there must be a dissector

05:32.310 --> 05:35.790
available that decodes the corresponding protocol layer.

05:35.790 --> 05:39.180
So every packet decode starts with a frame.

05:39.180 --> 05:40.860
dissector, right.

05:41.370 --> 05:48.650
It dissects the detail of the captured metadata itself, as you can tell it the timestamps.

05:48.660 --> 05:49.040
Right.

05:49.050 --> 05:55.260
So the frame dissector passes the data to the lowest level dissector in the data link

05:55.260 --> 06:02.460
layer, for example, the Ethernet dissector gets triggered for the Ethernet header.

06:02.460 --> 06:09.200
So the packet is then passed to the next dissector in the network layer, for example, IP version

06:09.200 --> 06:13.340
four or version six, the dissector gets triggered and so on.

06:13.340 --> 06:22.040
So each stage of the dissector decodes and displays the details of the packet, and the dissectors can be written

06:22.040 --> 06:30.830
as a self-registering plugin, for example, a shared library or DLL, or built into the Wireshark source code.

06:30.830 --> 06:37.220
So the biggest benefit of going with the plugin approach is that rebuilding a plugin is much faster

06:37.220 --> 06:43.790
and if the dissector is built into the source code, Wireshark needs to be completely recompiled

06:43.790 --> 06:44.720
and rebuilt.

06:44.720 --> 06:47.810
Hence it makes more sense to write the dissector as a plugin.

06:47.810 --> 06:48.260
Right?

06:48.260 --> 06:54.080
So you will learn more details on these dissectors in the next lectures also.

06:54.080 --> 06:59.180
But let's firstly get started with the capture filters in Wireshark.

06:59.180 --> 07:04.760
So we will discuss in detail capture filters in the next lectures, but only basics have been included

07:04.760 --> 07:09.710
here in this section for completeness on getting started discussion.

07:09.710 --> 07:17.600
So capture filters are used to decrease the size of captures by filtering out only relevant packets,

07:17.600 --> 07:21.440
matching the condition before they are added to the capture file.

07:21.830 --> 07:27.740
So clicking on the capture options button shows a screen containing a list of interfaces.

07:27.830 --> 07:34.790
So in order to do that, you will need to find this setting icon and it's usually there.

07:35.060 --> 07:39.980
And here when clicking on that, you will see this dialog here.

07:39.980 --> 07:48.080
So to set a filter, either an interface can be double clicked like this or a custom filter can be entered

07:48.080 --> 07:49.490
in the box.

07:49.490 --> 07:50.060
Right?

07:50.060 --> 07:58.460
So now we will open the again or before that let's actually enter our.

08:01.040 --> 08:03.380
Password again because our.

08:04.360 --> 08:10.090
Previous packet analysis is lost because we don't save them as earth here.

08:10.090 --> 08:11.170
And that's it.

08:11.770 --> 08:14.460
And now we're going to see the post login here.

08:14.470 --> 08:16.960
This is usually the login pages.

08:18.030 --> 08:19.860
Uh, that uses the post method.

08:20.600 --> 08:23.870
And here now, we will go to that again.

08:23.870 --> 08:25.400
So we stopped the filter.

08:25.490 --> 08:30.830
And here we as I said, you can double click on the capture options.

08:30.830 --> 08:37.760
But remember, before double clicking on any interface on this dialog, you need to save the file in

08:37.760 --> 08:41.210
order to not get lost and captured interface.

08:41.210 --> 08:51.110
So here to set a filter, a custom filter can also be entered in the text box.

08:51.200 --> 08:58.160
So there's a list here that shows example of simple capture filters.

08:58.160 --> 09:06.080
For example, we can use the src here, src host, so we will enter the src

09:06.110 --> 09:09.440
host. So let's actually scan our host with Nmap.

09:09.440 --> 09:11.390
So nmap -sV here.

09:11.990 --> 09:12.770
Typhoon.

09:13.100 --> 09:16.610
Typhoon target.com.

09:16.610 --> 09:24.320
And now we will get that host domain IP address, IP version four address and now.

09:26.460 --> 09:27.060
Sorry.

09:29.440 --> 09:34.660
We'll just put this and here, yes, we can see the IP address here.

09:35.410 --> 09:46.480
192.168.13.142. And now we will use this filter to just listen to the packets from this host.

09:46.810 --> 09:51.520
And here, in order to do that, we will just write that IP address down.

09:55.160 --> 10:06.110
Because 13 point yes, one for two and you can press on start and we can also save them before starting

10:06.110 --> 10:10.100
a new capture or we will not save them in this course.

10:10.100 --> 10:16.430
And as you can see here, whenever we restart this page, there is something new will come here.

10:16.430 --> 10:17.930
And as you can see here, it's.

10:19.140 --> 10:20.490
The new information is gathering.

10:20.490 --> 10:23.270
So now we will go press on logout.

10:23.280 --> 10:32.640
And here we also have this 302 Found and we can read it from the Hypertext Transfer Protocol.

10:33.810 --> 10:35.130
We have no-cache.

10:36.210 --> 10:37.410
Content-Type.

10:37.440 --> 10:38.550
Content-Length.

10:38.550 --> 10:39.870
And so on.

10:39.990 --> 10:44.130
Now, what are we going to do is we will do that example again.

10:44.130 --> 10:49.110
We will enter our passwords, in this case admin and our password.

10:49.110 --> 10:49.590
That's it.

10:49.590 --> 10:50.670
And click on login.

10:50.670 --> 10:56.610
And here, as you can see here, we are seeing that familiar post request again.

10:59.260 --> 10:59.740
Yes.

11:01.530 --> 11:02.700
We have this, this.

11:02.700 --> 11:03.540
This here.

11:10.720 --> 11:15.340
Let's log and log out again and admin here and.

11:17.990 --> 11:18.800
Password.

11:23.060 --> 11:26.000
And here, as you can see here, we have several information here.

11:26.000 --> 11:28.160
So you can also use another.

11:30.280 --> 11:32.350
Filters as well like.

11:32.380 --> 11:33.060
Net.

11:33.070 --> 11:33.640
Right.

11:33.640 --> 11:36.520
So we can with this net here.

11:37.850 --> 11:41.630
And you will need to delete this and /24 subnet mask.

11:41.630 --> 11:49.280
So we will listen to the packets to and from all hosts that are part of the network here.

11:49.280 --> 11:53.090
So from 0 to 255 IP address.

11:53.090 --> 11:53.730
Right, right.

11:53.810 --> 12:03.530
So we can also use the port here port and we will listen to only packets that.

12:05.940 --> 12:07.800
Connected within this port here.

12:07.800 --> 12:10.440
So communicating with this port here and.

12:11.460 --> 12:16.770
Now, since we are communicating on port 80, we will see information here.

12:19.380 --> 12:25.820
And we also have the display filters on Wireshark, which we will discuss in next lecture.

12:25.830 --> 12:29.040
My name is Stefan and I'm waiting for you in the next lecture.
